Integration overview
Integrating Oracle Database 19c Transparent Data Encryption (TDE) with the Vectera Plus requires the Futurex PKCS #11 (FXPKCS11) library. Once configured, the Master Encryption Key (MEK) used for TDE is generated and stored inside a FIPS 140-2 Level 3 validated HSM (the Vectera Plus), so it never leaves the HSM in plaintext, adding a layer of protection for data at rest.
The Master Encryption Key encrypts the Oracle Table Keys, which in turn encrypt and decrypt columns or tablespaces locally in the database. Each table has its own table key. From the client application's perspective, encryption and decryption are transparent, so no changes to the existing application are needed. Futurex recommends that the connection between the Futurex PKCS #11 library and the Vectera Plus be a mutually authenticated TLS connection; server-side authentication only is also supported.
The instructions for configuring the Futurex PKCS #11 library with Oracle Database running in a Docker container cover only the use of TLS certificates for mutual authentication.
This guide provides the information required to configure Futurex PKCS #11 with Oracle Database 19c so that the TDE Master Encryption Key can be generated and stored on the Vectera Plus and used to encrypt the Oracle Table Keys.
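As an added illustration of the workflow this overview describes (it is not part of the Futurex guide and not Oracle's or Futurex's own text), the following SQL*Plus session shows the Oracle 19c side of the integration: pointing the database at an HSM keystore, opening it through the PKCS #11 library, generating the MEK on the HSM, encrypting a tablespace and a column, and then verifying that the key really is HSM-resident rather than sitting in a software wallet. The wallet directory, the HSM credential string, the tablespace name and the sample table are assumptions; the FXPKCS11 credential format and the exact vendor directory under `/opt/oracle/extapi` come from the Futurex documentation, not from this example. The `ADMINISTER KEY MANAGEMENT` statements, `WALLET_ROOT`, `TDE_CONFIGURATION` and the `V$ENCRYPTION_*` views are standard Oracle 19c.

```sql
-- Added example: Oracle 19c TDE with an external (HSM) keystore via PKCS #11.
-- Prerequisite (outside SQL): Oracle loads the PKCS #11 module from the
-- conventional path /opt/oracle/extapi/64/hsm/{VENDOR}/{VERSION}/lib*.so,
-- so the FXPKCS11 shared library must be installed there (VENDOR/VERSION
-- values are whatever the Futurex guide specifies; assumed here).

-- 1. Tell the database where keystore metadata lives and that the
--    keystore is an HSM, not a software wallet. WALLET_ROOT needs a restart.
ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/admin/ORCLCDB/wallet' SCOPE = SPFILE;
-- (restart the instance here)
ALTER SYSTEM SET TDE_CONFIGURATION = 'KEYSTORE_CONFIGURATION=HSM' SCOPE = BOTH;

-- 2. Open the HSM keystore. The "user_id:password" string is passed through
--    to the PKCS #11 library as the HSM credential (value is a placeholder).
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "hsm_user:hsm_password" CONTAINER = ALL;

-- 3. Generate the Master Encryption Key. With an HSM keystore the MEK is
--    created on the HSM; only a reference to it is recorded by the database.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "hsm_user:hsm_password" CONTAINER = ALL;

-- 4. Encrypt data at rest. The tablespace key and the table key below are
--    generated by the database and wrapped by the HSM-held MEK.
CREATE TABLESPACE tde_demo
  DATAFILE 'tde_demo01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;

CREATE TABLE tde_demo_cards (
  id      NUMBER PRIMARY KEY,
  holder  VARCHAR2(80),
  card_no VARCHAR2(19) ENCRYPT USING 'AES256'   -- column-level TDE
) TABLESPACE tde_demo;

-- 5. Verification a defender should run after setup:
--    a) keystore is open and of type HSM
SELECT wrl_type, wallet_type, status, keystore_mode
  FROM v$encryption_wallet;
--    b) the active MEK is reported as HSM-backed, not SOFTWARE
SELECT key_id, keystore_type, creation_time, activation_time
  FROM v$encryption_keys;
--    c) the tablespace is actually encrypted
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'TDE_DEMO';
```

Two points worth checking against the output of step 5: `keystore_type` in `v$encryption_keys` should read `HSM` for the active key, and `status` in `v$encryption_wallet` should be `OPEN` after every instance restart. If the PKCS #11 library cannot reach the Vectera Plus (for example because the TLS certificates used for mutual authentication have expired), the keystore will fail to open and encrypted tablespaces become inaccessible, so keystore open status is the first thing to monitor in production.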